Permalink
Browse files

Fix: xml: Prevent use-after-free in cib_process_xpath()

  • Loading branch information...
1 parent 28d1549 commit 48932af70e17faf587ef2799a20337f2184ac44e @beekhof committed Mar 21, 2013
Showing with 10 additions and 1 deletion.
  1. +10 −1 lib/common/xml.c
View
@@ -2904,7 +2904,7 @@ freeXpathObject(xmlXPathObjectPtr xpathObj)
}
for(lpc = 0; lpc < max; lpc++) {
- if (xpathObj->nodesetval->nodeTab[lpc]->type != XML_NAMESPACE_DECL) {
+ if (xpathObj->nodesetval->nodeTab[lpc] && xpathObj->nodesetval->nodeTab[lpc]->type != XML_NAMESPACE_DECL) {
xpathObj->nodesetval->nodeTab[lpc] = NULL;
}
}
@@ -2925,11 +2925,20 @@ getXpathResult(xmlXPathObjectPtr xpathObj, int index)
if (index >= max) {
crm_err("Requested index %d of only %d items", index, max);
return NULL;
+
+ } else if(xpathObj->nodesetval->nodeTab[index] == NULL) {
+ /* Previously requested */
+ return NULL;
}
match = xpathObj->nodesetval->nodeTab[index];
CRM_CHECK(match != NULL, return NULL);
+ if (xpathObj->nodesetval->nodeTab[index]->type != XML_NAMESPACE_DECL) {
+ /* See the comment for freeXpathObject() */
+ xpathObj->nodesetval->nodeTab[index] = NULL;
+ }
+
if (match->type == XML_DOCUMENT_NODE) {
/* Will happen if section = '/' */
match = match->children;

0 comments on commit 48932af

Please sign in to comment.